Cybercriminals continue to focus on payment card theft and keep looking for new ways to carry it out.
Security researchers at website security company Sucuri discovered a new exfiltration method while investigating a compromised online shop running version 2 of the open-source Magento e-commerce platform.
The threat actors devised a way to steal payment card data from compromised online stores that leaves little suspicious traffic behind and also helps them evade detection.
The analysts also note that the malicious code ran on the checkout page and encoded the captured data before saving it to a .JPG file.
During the investigation, the analysts found PHP code inserted into the file “./vendor/magento/module-customer/Model/Session.php”.
The injected function, getAuthenticates, was designed to load the rest of the malicious code into the compromised environment.
The code also creates the image file and uses it to store the captured data. This lets the attacker retrieve the stolen data at their leisure while it sits in what looks like a harmless JPG.
This kind of incident is known as a Magecart attack. Such attacks have been going on for years, with cybercriminals repeatedly gaining access to online stores.
They gain access through a vulnerability or other weakness, then plant malicious code designed to steal customer card data at checkout.
Sucuri also found a PHP file on the compromised website that the threat actors had modified to load further malicious code by creating and calling the getAuthenticates function.
After analysing the code, the researchers determined that it used the Magento framework to capture data from the checkout page via the Customer_ parameter.
Nearly all the data submitted on the checkout page passes through the Customer_ parameter, including:
- Payment card details
- Phone number
- Postal address
Threat actors are always searching for new ways to hijack or steal data from victims. Using a fake .JPG lets an attacker store the collected credit card details for later use without drawing much attention from the website owner.
Sucuri's experts add that integrity control checks and website monitoring services should be able to identify changes such as modified code or newly added files, so regular checks of the website are essential.
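One concrete check a site owner can add to the routine monitoring described above is to look for image files that are not what they claim to be: a .JPG that lacks the JPEG header, or that carries extra data appended after the end-of-image marker, is exactly the kind of artefact this skimmer leaves behind. The following is an added example, not Sucuri's or Magento's own code; the file names and the base64 sample (which decodes to a test card number) are constructed for the demonstration.

```python
import os
import tempfile

JPEG_SOI = b"\xff\xd8"  # start-of-image marker every real JPEG begins with
JPEG_EOI = b"\xff\xd9"  # end-of-image marker; nothing should follow it

def inspect_jpeg(data: bytes) -> list[str]:
    """Return findings for a blob that claims to be a JPEG (empty list = looks normal)."""
    findings = []
    if not data.startswith(JPEG_SOI):
        findings.append("no JPEG SOI header: file is not a real image")
        return findings
    eoi = data.rfind(JPEG_EOI)
    if eoi == -1:
        findings.append("no EOI marker: truncated or not a real image")
        return findings
    trailer = data[eoi + 2:]
    if trailer.strip():  # base64 text appended by a skimmer lands here
        findings.append(f"{len(trailer)} bytes appended after EOI marker")
    return findings

def scan_tree(root: str) -> dict[str, list[str]]:
    """Walk a webroot and report .jpg/.jpeg files with findings, keyed by relative path."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith((".jpg", ".jpeg")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                findings = inspect_jpeg(f.read())
            if findings:
                results[os.path.relpath(path, root)] = findings
    return results

def demo_samples() -> tuple[bytes, bytes, bytes]:
    """Constructed samples: a minimal clean JPEG, the same file with a base64 line appended,
    and a bare base64 blob saved under a .jpg name (decodes to 'customer_cc=4111111111111111')."""
    clean = JPEG_SOI + b"\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 9 + JPEG_EOI
    stolen = b"Y3VzdG9tZXJfY2M9NDExMTExMTExMTExMTExMQ==\n"
    return clean, clean + stolen, stolen

def demo_scan() -> dict[str, list[str]]:
    """Write the samples into a temporary directory and scan it, as a stand-alone run."""
    clean, tampered, fake = demo_samples()
    with tempfile.TemporaryDirectory() as root:
        for name, blob in (("ok.jpg", clean), ("tampered.jpg", tampered), ("fake.jpg", fake)):
            with open(os.path.join(root, name), "wb") as f:
                f.write(blob)
        return scan_tree(root)
```

Some image tools legitimately write metadata after the EOI marker, so treat a trailer hit as a file to review rather than a verdict, and pair the scan with a baseline of known-good file hashes.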